>myctrl.tools
Preferences
Under active development Content is continuously updated and improved

A03Software Supply Chain Failures

>Control Description

This was top-ranked in the Top 10 community survey with exactly 50% respondents ranking it #1. Since initially appearing in the 2013 Top 10 as "A9 – Using Components with Known Vulnerabilities", the risk has grown in scope to include all supply chain failures, not just ones involving known vulnerabilities. Despite this increased scope, supply chain failures continue to be a challenge to identify with only 11 Common Vulnerability and Exposures (CVEs) having the related CWEs. However, when tested and reported in the contributed data, this category has the highest average incidence rate at 5.19%. The relevant CWEs are *CWE-477: Use of Obsolete Function, CWE-1104: Use of Unmaintained Third Party Components*, CWE-1329: *Reliance on Component That is Not Updateable*, and *CWE-1395: Dependency on Vulnerable Third-Party Component*. Software supply chain failures are breakdowns or other compromises in the process of building, distributing, or updating software. They are often caused by vulnerabilities or malicious changes in third-party code, tools, or other dependencies that the system relies on. You are likely vulnerable if: * you do not carefully track the versions of all components that you use (both client-side and server-side). This includes components you directly use as well as nested (transitive) dependencies. * the software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries. * you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use. * you do not have a change management process or tracking of changes within your supply chain, including tracking IDEs, IDE extensions and updates, changes to your organization's code repository, sandboxes, image and library repositories, the way artifacts are created and stored, etc. Every part of your supply chain should be documented, especially changes. * you have not hardened every part of your supply chain, with a special focus on access control and the application of least privilege. * your supply chain systems do not have any separation of duty. No single person should be able to write code and promote it all the way to production without oversight from another human being. * components from untrusted sources, across any part of the tech stack, are used in or can impact on production environments. * you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, leaving organizations open to days or months of unnecessary exposure before fixing vulnerabilities. * software developers do not test the compatibility of updated, upgraded, or patched libraries. * you do not secure the configurations of every part of your system (see [A02:2025-Security Misconfiguration](https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/)). * your CI/CD pipeline has weaker security than the systems it builds and deploys, especially if it is complex.

>Prevention & Mitigation Strategies

  1. 1.Centrally generate and manage the Software Bill of Materials (SBOM) of your entire software.
  2. 2.Track not just your direct dependencies, but their (transitive) dependencies, and so on.
  3. 3.Reduce attack surface by removing unused dependencies, unnecessary features, components, files, and documentation.
  4. 4.Continuously inventory the versions of both client-side and server-side components (e.g., frameworks, libraries) and their dependencies using tools like OWASP Dependency Track, OWASP Dependency Check, retire.js, etc.
  5. 5.Continuously monitor sources like Common Vulnerability and Exposures (CVE), National Vulnerability Database (NVD), and [Open Source Vulnerabilities (OSV)](https://osv.dev/) for vulnerabilities in the components you use. Use software composition analysis, software supply chain, or security-focused SBOM tools to automate the process. Subscribe to alerts for security vulnerabilities related to components you use.
  6. 6.Only obtain components from official (trusted) sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component (see [A08:2025-Software and Data Integrity Failures](https://owasp.org/Top10/2025/A08_2025-Software_or_Data_Integrity_Failures/)).
  7. 7.Deliberately choose which version of a dependency you use and upgrade only when there is need.
  8. 8.Monitor for libraries and components that are unmaintained or do not create security patches for older versions. If patching is not possible, consider migrating to an alternative. If that is not possible, consider deploying a virtual patch to monitor, detect, or protect against the discovered issue.
  9. 9.Update your CI/CD, IDE, and any other developer tooling regularly.
  10. 10.Avoid deploying updates to all systems simultaneously. Use staged rollouts or canary deployments to limit exposure in case a trusted vendor is compromised.
  11. 11.Implement a change management process that tracks changes to CI/CD pipelines, code repositories, sandbox areas, developer IDEs, SBOM tooling and artifacts, logging systems, third-party integrations (SaaS), artifact repositories, and container registries.
  12. 12.Harden your code repository (no checked-in secrets, protected branches, backups), developer workstations (regular patching, MFA, monitoring), build servers and CI/CD (separation of duties, access control, signed builds, environment-scoped secrets, tamper-evident logs), artifacts (integrity via provenance, signing, timestamping; promote rather than rebuild per environment; immutable builds), and infrastructure as code (managed via PRs and version control).

>Attack Scenarios

#1Compromised vendor update (SolarWinds)

A trusted vendor is compromised with malware, leading to your computer systems being compromised when you upgrade. The most famous example of this is probably: * The 2019 SolarWinds compromise that led to ~18,000 organizations being compromised. [https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack](https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack)

#2Conditional supply chain attack (Bybit)

A trusted vendor is compromised such that it behaves maliciously only under a specific condition. * The 2025 Bybit theft of $1.5 billion was caused by [a supply chain attack in wallet software](https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/) that only executed when the target wallet was being used.

#3Self-propagating npm worm (Shai-Hulud)

The [`Shai-Hulud` supply chain attack](https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem) in 2025 was the first successful self-propagating npm worm. Attacks seeded malicious versions of popular packages, which used a post-install script to harvest and exfiltrate sensitive data to public GitHub repositories. The malware would also detect npm tokens in the victim environment, and automatically use them to push malicious versions of any accessible package. The worm reached over 500 package versions before being disrupted by npm. This supply chain attack was advanced, fast-spreading, and damaging, and by targeting developer machines it demonstrated developers themselves are now prime targets for supply chain attacks.

#4Exploitable component vulnerabilities (Struts, Log4j)

Components typically run with the same privileges as the application itself, so flaws in any component can result in serious impact. Such flaws can be accidental (e.g., coding error) or intentional (e.g., a backdoor in a component). Some example exploitable component vulnerabilities discovered are: * CVE-2017-5638, a Struts 2 remote code execution vulnerability that enables the execution of arbitrary code on the server, has been blamed for significant breaches. * CVE-2021-44228 ("Log4Shell"), an Apache Log4j remote code execution zero-day vulnerability, has been blamed for ransomware, cryptomining, and other attack campaigns.

>Related CWEs

CWE-1035
CWE-1395
CWE-1104
CWE-447
CWE-1329
CWE-1357

>References

Ask AI

Configure your API key to use AI features.